AWS Public Sector Blog
Securing HAQM S3 Glacier with a customer-managed encryption key
Customer-managed encryption keys are a common architecture requirement within highly regulated workloads. This post demonstrates how to satisfy this requirement within HAQM Simple Storage Service (HAQM S3), including HAQM S3 Glacier.
We also clarify some common points of confusion and demonstrate how objects can be uploaded directly to HAQM S3 Glacier via HAQM S3, which can help meet regulatory requirements as well as potentially save budget.
Background
HAQM S3 is a highly scalable, reliable, fast, and inexpensive data storage service. HAQM S3 offers a range of storage classes designed for different use cases. HAQM Glacier is a secure, durable, and low-cost solution for long-term data archival storage and digital preservation (like tape backups). HAQM S3 Glacier is both a standalone service and an HAQM S3 storage class.
HAQM S3 Glacier can be used without calling its own Application Programming Interface (API) directly or using its section of the AWS Management Console (although those options still exist). Instead, you can view and use HAQM S3 Glacier as if it were just another storage class within HAQM S3.
There are two sets of AWS documentation regarding HAQM S3 Glacier depending on your chosen API. One set of documents refers to the standalone service; the other discusses use of HAQM S3 Glacier as an HAQM S3 storage class.
What to know
- HAQM S3 Glacier can be accessed directly or via HAQM S3.
- You can use the HAQM S3 Console or API as your default for all HAQM S3 Glacier interactions.
- This eliminates the concepts of “Vaults” and “Archives”; instead, everything is treated as an object in an HAQM S3 bucket.
- Consider replacing “Vault Lock” with “S3 Object Lock.”
- Refer to HAQM S3 Documentation first. When you need detail beyond this, consult the HAQM S3 Glacier (stand-alone) Documentation.
- Be mindful of documentation and forum discussion referring to “HAQM Glacier,” which may describe the stand-alone service rather than the HAQM S3 storage class.
Demonstration overview
In this blog post, I demonstrate how to upload an object to HAQM S3 Glacier via HAQM S3 using a custom encryption key.
Prerequisites
To complete this on your own, you need the following:
- An AWS account
- AWS Identity and Access Management (AWS IAM) permissions for HAQM S3, HAQM S3 Glacier, and AWS Key Management Service (AWS KMS)
- A symmetric AWS KMS customer managed key (CMK) (see the AWS KMS documentation)
- An S3 Bucket (How to create a bucket)
Demonstration
- Within the AWS Management Console, navigate to the HAQM S3 Service.
- HAQM S3 is a global service; a specific region selection within the console is not applicable as shown here.
- Navigate within a desired destination S3 bucket.
- Select Upload.
- Select an example object to upload.
- Select Next until you arrive at the #3 “Set Properties” menu.
- Select the HAQM S3 Storage Class of HAQM Glacier.
- Select Upload. Your object is uploaded to Glacier using server-side encryption (SSE-KMS) with your AWS KMS customer managed key as the encryption key. This action could also be completed via the AWS command-line interface (CLI) or a software development kit (SDK) of your choice via the API.
- The encrypted upload is complete. In Figure 1 below, we see the object was encrypted using the specified encryption key (see “Server-side Encryption” set to “AWS-KMS”) and then archived into HAQM S3 Glacier (see “Storage Class” set to “Glacier”).
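The same upload can be scripted, and, more importantly for a regulated workload, the result can be verified rather than eyeballed in the console. The following is an added example, not code from the AWS post: it builds the `put_object` parameters that correspond to the console steps above (SSE-KMS with the customer managed key, storage class `GLACIER`) and checks an object's `head_object` metadata to confirm it was encrypted under the intended key and landed in the intended storage class. The bucket name, object key and KMS key ARN are constructed placeholders; the boto3 client is only used inside `upload_and_verify`, so the other functions run offline.

```python
"""Added example (not from the AWS post): build SSE-KMS + GLACIER upload
parameters and verify from object metadata that the protection took effect.
Only upload_and_verify() touches the network; everything else runs offline."""

EXPECTED_STORAGE_CLASS = "GLACIER"


def build_put_object_args(bucket, key, body, kms_key_arn,
                          storage_class=EXPECTED_STORAGE_CLASS):
    """Keyword arguments for boto3's S3.Client.put_object.

    ServerSideEncryption='aws:kms' together with SSEKMSKeyId selects SSE-KMS
    under the given customer managed key; StorageClass sends the object
    straight into Glacier instead of STANDARD (the console's default).
    """
    # Require the key ARN (an alias is also accepted by S3) because head_object
    # reports the ARN, and the verification below compares against it.
    if not kms_key_arn.startswith("arn:aws:kms:"):
        raise ValueError("pass the KMS key ARN, not an alias")
    return {
        "Bucket": bucket,
        "Key": key,
        "Body": body,
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": kms_key_arn,
        "StorageClass": storage_class,
    }


def verify_object_protection(head_response, expected_kms_key_arn,
                             expected_storage_class=EXPECTED_STORAGE_CLASS):
    """Check a head_object response. Returns a list of findings; empty means OK.

    Catches the two silent failure modes of the console procedure: the object
    was encrypted with the bucket default (SSE-S3 or a different KMS key)
    instead of the CMK, or it stayed in STANDARD because the storage class
    was never changed.
    """
    findings = []
    sse = head_response.get("ServerSideEncryption")
    if sse != "aws:kms":
        findings.append(f"ServerSideEncryption is {sse!r}, expected 'aws:kms'")
    key_id = head_response.get("SSEKMSKeyId")
    if key_id != expected_kms_key_arn:
        findings.append(f"SSEKMSKeyId is {key_id!r}, expected {expected_kms_key_arn!r}")
    # head_object omits StorageClass entirely for STANDARD objects.
    storage_class = head_response.get("StorageClass", "STANDARD")
    if storage_class != expected_storage_class:
        findings.append(f"StorageClass is {storage_class!r}, expected {expected_storage_class!r}")
    return findings


def upload_and_verify(s3_client, bucket, key, body, kms_key_arn):
    """Upload with a boto3 S3 client, then re-read the metadata and verify it.
    Needs AWS credentials and network access; s3_client = boto3.client('s3')."""
    s3_client.put_object(**build_put_object_args(bucket, key, body, kms_key_arn))
    head = s3_client.head_object(Bucket=bucket, Key=key)
    return verify_object_protection(head, kms_key_arn)


# Constructed sample metadata in the shape head_object returns (placeholder ARN).
SAMPLE_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                  "00000000-0000-0000-0000-000000000000")
GOOD_HEAD = {"ServerSideEncryption": "aws:kms",
             "SSEKMSKeyId": SAMPLE_KEY_ARN,
             "StorageClass": "GLACIER"}
# Bucket default SSE-S3 and no StorageClass: what you get if steps 3 and 7 are skipped.
BAD_HEAD = {"ServerSideEncryption": "AES256"}

if __name__ == "__main__":
    print(build_put_object_args("example-bucket", "archive/report.pdf",
                                b"constructed body", SAMPLE_KEY_ARN))
    print("good object:", verify_object_protection(GOOD_HEAD, SAMPLE_KEY_ARN))
    print("bad object: ", verify_object_protection(BAD_HEAD, SAMPLE_KEY_ARN))
```

Running `verify_object_protection` over the output of a bucket listing is a cheap way to audit an archive bucket periodically: any object whose `SSEKMSKeyId` is not the customer managed key, or whose storage class is not `GLACIER`, is a policy deviation worth alerting on.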
Additional Resources
- HAQM S3 Documentation
- HAQM S3 Glacier (stand-alone) Documentation
- HAQM S3 Storage Classes
- AWS Announces New HAQM S3 Features that Simplify the Use of the HAQM S3 Glacier Storage Class for Archival Workloads in All AWS Regions
Conclusion
You’re now equipped with additional clarity on the interoperability between HAQM Glacier and HAQM S3. I encourage you to look for ways in which you can employ this information in support of your organization’s mission to increase security and save costs.
Happy building!